The evolution of OpenID: you’re not a URL after all

The US government has just announced a pilot program to integrate OpenID (and Information Cards) into public government web sites. This is very interesting news, as it will likely catalyze even greater OpenID deployment and use. [I’ve poo-poo’ed OpenID here and here, because of phishing and privacy concerns. I’m still very worried. I’ve suggested ways to defend OpenID against phishing, and I helped Creative Commons deploy a privacy-conscious OpenID service.] What’s fascinating to me is the evolution of OpenID. The pitch used to be “log in with your URL.” The backend protocol was cool, but it didn’t really matter. Authentication … Continue reading The evolution of OpenID: you’re not a URL after all

Don’t Hash Secrets

Building secure systems is difficult. It would be nice if we had a bunch of well-designed crypto building blocks that we could assemble in all sorts of ways and be certain that they would, no matter what, yield a secure system overall. There are, in fact, folks working on such things at a theoretical level [Universal Composability]. But even if you had these building blocks, you would still have to use them in their intended way. A component can only be secure under certain well-defined circumstances, not for any use that happens to look similar. One area of secure protocol … Continue reading Don’t Hash Secrets

Open(Social) Will Win ; and now Privacy?

If you’re hooked into the social networking world, you know about Facebook and the Facebook platform, which lets developers create all sorts of applications that make use of your Facebook social network in interesting ways. Flixster, for example, lets you share and compare your movie tastes with your existing Facebook friends. No need to reconnect to your friends in every web-based application. But there is one problem: if you write a Facebook application, you’re pretty much stuck with Facebook. Facebook never lets the application see the user’s email address or Instant Messenger account name, or any other fields that would … Continue reading Open(Social) Will Win ; and now Privacy?

The Password Anti-Pattern and the Login Redirection Anti-Pattern

A few weeks ago, I wrote about about how web sites that manage your data should be more open in order to better protect you. Not so surprisingly, I’m not the only one thinking about this issue. Jeremy Keith has a fantastic detailed write-up regarding what he calls the “password anti-pattern.” It gets at the same fundamental issue I was talking about, but with more interesting detail. It lays out the problem concisely and clearly: [Asking for gmail passwords from your users] teaches people how to be phished. And it mentions OAuth, an effort I only recently learned about, which … Continue reading The Password Anti-Pattern and the Login Redirection Anti-Pattern

Facebook Platform: bad login practices, OpenID doesn’t work

Facebook launched a platform that lets third-party developers add Facebook applications. This is visionary, and it’s very very cool (though I’m not sure it’s the revolution everyone is talking about.) The problem, of course, is authentication. Take a look at the Zoho Facebook application. Zoho is a separate company. They have their own accounts. So now they have to associate an existing Facebook account with an existing Zoho account. The only way they can do this currently is to ask for the Zoho password from within the Zoho Facebook application, which is served from So now verifying the URL … Continue reading Facebook Platform: bad login practices, OpenID doesn’t work

BeamAuth: Two-Factor Web Authentication with a Bookmark.

(There’s always a dilemma between “publishing soon” and “polishing for peer review.” This is my first attempt at blog-based collaborative peer-review. Let’s see how it goes!) The Problem Phishing is a serious issue, and it’s only getting worse. Through various means, Alice ends up at a spoofed web site she thinks she recognizes (usually her bank). She inevitably ends up providing her login credentials, which the attacker can then use to perform (malicious) actions on Alice’s behalf. Theoretically, assuming Alice’s browser is relatively secure, she could check the URL and the SSL certificate and defend against these kinds of attack. … Continue reading BeamAuth: Two-Factor Web Authentication with a Bookmark.

2007: Controlled End-User Web APIs for Private-Data Mashups

As far as technology goes, 2007 will be about web security. With everyone storing more and more personal data on various web sites, and with the continuing innovation of mash-ups, it’s inevitable. And it won’t be the web security issues of the last few years, either, it will all be about how to do private-data mash-ups securely. Case in Point: Google just patched a serious security problem that allowed an Evil Web Site (EWS) to access your gmail contact list, as long as you were logged into gmail and you simply visited the EWS. The root cause: Google wanted one … Continue reading 2007: Controlled End-User Web APIs for Private-Data Mashups